Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
10-20-2003, 05:12 PM
|
#1
|
LQ Newbie
Registered: Sep 2003
Posts: 12
Rep:
|
SSH2 and PermitRootLogin=No
With SSH1 there was a way to PermitRootLogin=No and still allow root to do some commands remotely to facilitate some system administration but not an unrestricted logon in the authorizedkeys file. I need to do this with SSH2, however, I have been unsuccessful.
I would greatly appreciate some assistance
Thanks in advance,
Mark
|
|
|
10-21-2003, 05:14 PM
|
#2
|
Senior Member
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458
Rep:
|
Is there any problem to login with another user & 'su -' to root user?
|
|
|
10-21-2003, 06:27 PM
|
#3
|
LQ Newbie
Registered: Sep 2003
Posts: 12
Original Poster
Rep:
|
Thats exactly what we want. We want people to logon and then su for an audit trail. However, we still need the ability to push changes out after you have su'd on one server to the others with scp or sftp.
Mark
|
|
|
10-22-2003, 05:11 AM
|
#4
|
Senior Member
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458
Rep:
|
Ok, I'm not sure I fully understand what you are trying to achieve...
I think you want to copy changes on one machine to other machines with scp/sftp..
If someone logs in and su - to root, they can then scp/sftp from there to another machine.
Usually for maintenance, if this is a common repetitive action, it can be scripted. It depends on whether you want to use shared keys or just passwords.
I usually make a softlink to any file I have changed into a "transfer" directory, then list the softlinks with ls -l to catch the original file name, and then scp those files to other destinations in one action. (using shared keys)
This requires root privelege coz some files are only root accesible and writeable...
Last edited by peter_robb; 10-22-2003 at 05:12 AM.
|
|
|
10-22-2003, 09:19 AM
|
#5
|
LQ Newbie
Registered: Sep 2003
Posts: 12
Original Poster
Rep:
|
We don't want to use keys and we don't want people to be able to logon as root. Unfortunately on my lab servers when I set "PermitRootLogin=No" root is no longer capable of moving files around, because in order for the "scp -p file root@server:/somewhere" to happen root must logon. In my Orielly book it indicates that SSH1 (even with PermitRootLogin=No) could be configured to permit root remote login access for a specific command (ie ssh -X root@server ls) but not a full logon. The forces people to logon as themselves and su to root so at least you always know "who" is on the system vs's if people can logon as root it can be very difficult to determine who did what. I could use NFS mounts and perl to move files that change but that is messy when you just need to make a simple change to a file and push it to all the servers scp is much better. Also while I can program in perl and shell languages not all of the admins can. So the desire is to keep this simple and what other sysadmins are familiar with.
Thanks,
Mark
|
|
|
10-22-2003, 11:46 AM
|
#6
|
Member
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631
Rep:
|
Hi mark,
I know what you're trying to do - I've done the same thing and had the same problem. Its all very well doing things manually, but if you've got a file to push out to 200 servers, or a command to run, you can save hours of time by running it from a central point to multiple servers.
One way I got round it was to allow root login, but put some code in root's .profile that blocks logins (the code needs to check the parent process doing the login and just exit if it is ssh, telnet, rsh etc.). You have to be careful, but this can work well.
Another approach you could take is to allow the same thing with a non-root user. This is a lot less flexible (e.g. you can only copy out files where that user has the permissions to write to the directories/files) but is safer and can be used for limited purposes.
Of course, one thing to remember with the root solution is that nothing stops you running rm -r / across all your servers in one command.
|
|
|
10-22-2003, 02:01 PM
|
#7
|
Senior Member
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467
Rep:
|
Why don't you create a shell script which checks for tasks to be done by a group of machines? For instance you could use perl and it's excellent DBI to query a MySQL database for commands to be done. That way you can easily create a webmanagement area for your servers :-)
|
|
|
10-22-2003, 03:02 PM
|
#8
|
LQ Newbie
Registered: Sep 2003
Posts: 12
Original Poster
Rep:
|
Hey Iainr,
I like that idea. I had not thought of that and I have done some similiar stuff with Tier 1's .profiles to limit thier access. I'll give it a shot.
Thanks!!
|
|
|
10-22-2003, 03:02 PM
|
#9
|
LQ Newbie
Registered: Sep 2003
Posts: 12
Original Poster
Rep:
|
Hey Markus,
Your idea would work as well....but honestly.....I just think a couple of the other admins would not like giving up their scp ability. So I guess more for political reasons vs's techinical that can't be done........
|
|
|
10-23-2003, 06:08 AM
|
#10
|
LQ Newbie
Registered: Oct 2003
Location: Kent, England
Distribution: RH9 and Debian 3.0r1
Posts: 11
Rep:
|
Why do you want to force changes across the platforms? Can you not
use a DNS style change policy where servers automatically expire their
configs after 'n' days and then recollect the new versions? This would
remove the requirement for root scp at all, all configs could be stored on
a central system under a different user.
Whilst you would sacrifice immediacy, you would gain a lot more stability
and security. Pull rather than push, always easier to maintain.
--
\ /
\/\/ isey
|
|
|
10-23-2003, 11:48 AM
|
#11
|
LQ Newbie
Registered: Sep 2003
Posts: 12
Original Poster
Rep:
|
True that is indeed another way of doing things and for items that change regularly we have something like that in place. However, some of the people with a valid "root" requirement are not local and will provide strong opposition to the increased security if we don't facilitate a less intrusive way for them to continue business as usual. So as always security must maintain that balance of "risk vs's requirements".
Thanks,
Mark
|
|
|
All times are GMT -5. The time now is 05:43 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|